A draft agreement between the U.S. and the E.U. about sharing air passenger information was leaked to the Guardian, prompting outrage over what civil liberties groups say is an invasion of privacy and what creates greater potential for data mining of sensitive information.

The personal information of millions of European travelers could be stored by the U.S. Department of Homeland Security for 15 years if an agreement being worked out between the U.S. and E.U. is approved. Under the proposal, credit card info, phone numbers and home addresses of those flying from anywhere in Europe to the U.S. would be monitored and checked against watch lists and no-fly lists to combat terrorism, crime and illegal immigration. Currently, that information is stored for five years under the E.U.’s Passenger Name Record system (PNR) and is handed over to U.S. customs by airlines 72 hours before departure. The new rules would require that information to be dispatched 96 hours ahead of departure and would triple the length of time that the sensitive passenger data would be stored.

The leak of the document comes just a week after the U.S. Senate passed a resolution saying it “simply could not accept” any lesser methods of data-sharing because the process is “an important part of our layered defenses against terrorism.” But European civil liberties groups are crying foul not only because of privacy concerns but also for concerns over profiling. The agreement notes that in exceptional circumstances, ethnic origin, political opinions, and details of health or sex life can be used if necessary to an investigation. In attempts to allay some of these fears, the document includes provisions that would mask individuals’ identities after six months. Then after five years, the data would be transferred to a dormant database with the possibility of restoring said information while it is stored for the remaining 10 years.

Jan Philip Albrecht, a German green party member of the European parliament’s civil liberties committee called the agreement “a huge infringement of data protection principles.”